Chapter 8 Flashcards

1
Q

Identities

A

The collection of user information, credentials, rights, roles, group memberships, and other attributes describing individuals and accounts. Identities are among the most critical assets an organization owns: the access and rights granted to them are the keys to systems, services, and data, which makes them targets for both internal and external attackers.

2
Q

Authentication, Authorization, and Accounting (AAA)

A

A framework used to control access to computers, networks, and services. AAA systems authenticate users by requiring credentials such as a username, a password, and possibly a biometric or token-based authenticator. Once individuals have proven who they are, they are authorized to access or use resources or systems, and accounting records what they did for audit and billing purposes.

3
Q

IAM

A

IAM systems are built to create, store, and manage identity information as well as the permissions, groups, and other information needed to support the use of identities.

4
Q

Directory Services

A

Provide information about systems, users, groups, and other objects in an organization to clients on the network; LDAP directories and Active Directory are common examples.

5
Q

LDAP

A

The Lightweight Directory Access Protocol. LDAP directories are commonly deployed as part of an identity management infrastructure and offer hierarchically organized information about the organization.

6
Q

Organizational Units (OUs)

A

Containers that group related entries in a directory tree, for example the Security and Human Resources OUs in the chapter's sample directory. Each OU holds entries labeled with a Common Name (CN), and an entry's full path through the tree (its CN, the OUs above it, and the domain components at the top) is its Distinguished Name (DN).

7
Q

TACACS+

A

A Cisco-designed extension to TACACS, the Terminal Access Controller Access Control System. It uses TCP to provide authentication, authorization, and accounting services. TACACS+ suffers from a number of flaws, including a lack of integrity checking for the data it sends: an attacker with access to the traffic can make arbitrary changes to it or replay it against the TACACS+ service. TACACS+ also has encryption flaws that can lead to compromise of the shared encryption key. TACACS+ systems that provide AAA services for network devices should therefore operate on an isolated administrative network where possible.
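Added example (not from the page or from any TACACS+ implementation): the RFC 8907 body obfuscation, which XORs the packet body with an MD5-derived pad keyed by the shared secret, and the consequence of having no integrity check. An on-path attacker who knows the byte position and original value of the reply status can turn a FAIL into a PASS without knowing the secret. The session ID, key, and packet body are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5) and its missing integrity check.

Added example, not from the page or from any TACACS+ implementation. The pad
derivation follows the published algorithm; session ID, key, and packet body
are constructed sample values.
"""
import hashlib


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate and truncate."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_xor_body(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; the same call both obfuscates and de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample: an authentication REPLY body. Byte 0 is the status
# (0x01 = PASS, 0x02 = FAIL), byte 1 flags, then two 16-bit lengths, then server_msg.
SERVER_MSG = b"Login incorrect"
FAIL_BODY = (bytes([0x02, 0x00]) + len(SERVER_MSG).to_bytes(2, "big")
             + (0).to_bytes(2, "big") + SERVER_MSG)
SESSION_ID, KEY, VERSION, SEQ_NO = 0x1A2B3C4D, b"shared-secret", 0xC0, 2


def tamper_status(ciphertext: bytes, assumed_plain: int, desired_plain: int) -> bytes:
    """On-path attacker: without the key, flip the status byte by XORing the ciphertext
    byte with (assumed ^ desired). Works because body ^ pad carries no MAC."""
    return bytes([ciphertext[0] ^ assumed_plain ^ desired_plain]) + ciphertext[1:]


def demo() -> int:
    """Return the status byte the client decodes after the attacker's edit."""
    on_wire = tacacs_xor_body(SESSION_ID, KEY, VERSION, SEQ_NO, FAIL_BODY)
    modified = tamper_status(on_wire, 0x02, 0x01)   # FAIL -> PASS, no key needed
    return tacacs_xor_body(SESSION_ID, KEY, VERSION, SEQ_NO, modified)[0]
```

The same trick applies to any byte whose plaintext the attacker can predict, which is why the card recommends keeping TACACS+ on an isolated management network rather than relying on the obfuscation.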

8
Q

RADIUS

A

The Remote Authentication Dial-In User Service is one of the most common AAA systems for network devices, wireless networks, and other services. RADIUS operates in a client-server model, traditionally over UDP (a TCP transport was added later). It hides passwords by XORing them with an MD5 hash derived from a shared secret and the request authenticator, so its password protection is not very strong. RADIUS traffic between the network access server (the RADIUS client) and the RADIUS server is therefore typically protected with IPsec tunnels or similar measures.
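Added example (not from the page or from any RADIUS implementation): the RFC 2865 User-Password hiding scheme and the offline attack the card alludes to. An attacker who captures an Access-Request for an account whose password they know (for example, their own) learns MD5(secret + RequestAuthenticator) and can test shared-secret guesses offline; once the secret is known, every other captured User-Password on that link decrypts. The Request Authenticator, secret, candidate list, and passwords are constructed.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) and why a captured
Access-Request plus one known password gives up the shared secret.

Added example, not from the page or from any RADIUS implementation. The
Request Authenticator, secret, candidate list, and passwords are constructed.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_n = p_n XOR MD5(S + c_{n-1}); password NUL-padded to 16*n."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: the chain uses ciphertext blocks, which are on the wire."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def recover_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes, candidates):
    """Offline attack: with one known (password, hidden) pair from a capture,
    MD5(S + RA) = p1 XOR c1, so every candidate S is checked without the server."""
    padded = known_password + b"\x00" * (-len(known_password) % 16)
    target = bytes(p ^ c for p, c in zip(padded[:16], hidden[:16]))
    for s in candidates:
        if hashlib.md5(s + request_authenticator).digest() == target:
            return s
    return None
```

The Request Authenticator travels in the clear in every Access-Request, so the only unknown is the shared secret; a weak or reused secret is a single-point failure for every password on that RADIUS link.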

9
Q

Kerberos

A

Unlike TACACS+ and RADIUS, Kerberos is designed to operate on untrusted networks and uses encryption to protect its authentication traffic. Users in Kerberos, called principals, are composed of three elements: the primary (frequently the username), the instance (used to differentiate similar primaries), and the realm, which is a group of principals. Realms are often separated along trust boundaries and have distinct key distribution centers (KDCs). Figure 8.3 shows the basic Kerberos authentication flow.
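Added example (not from the page, and not a real Kerberos implementation): the AS, TGS, and AP exchanges from Figure 8.3 reduced to their key-handling skeleton, plus parsing of primary/instance@REALM principals. The seal/unseal helper is a toy authenticated-encryption stand-in for Kerberos encryption types, and every principal, password, and timestamp is constructed. It shows why only the holder of the client's long-term key can use the AS-REP and why the service never needs to contact the KDC.

```python
"""Kerberos AS, TGS and AP exchanges, stripped to their key handling.

Added example, not from the page and not a real Kerberos implementation:
seal()/unseal() is a toy authenticated-encryption stand-in for Kerberos
encryption types, and every principal, password and timestamp is constructed.
"""
import hashlib
import hmac
import json
import os


def parse_principal(name):
    """'primary/instance@REALM' -> (primary, instance, realm); instance may be empty."""
    user, _, realm = name.partition("@")
    primary, _, instance = user.partition("/")
    return primary, instance, realm


def string_to_key(password, salt):
    """Toy stand-in for the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def _stream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce | ciphertext | HMAC tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    """Verify the tag first; a wrong key (e.g. a wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center of one realm; holds every principal's long-term key."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}
        self.tgs_key = os.urandom(32)          # krbtgt key, never leaves the KDC

    def as_exchange(self, client, now):
        """AS-REQ/AS-REP: a TGT sealed under the TGS key plus the TGT session key
        sealed under the client's long-term key. Anyone can request this; only the
        password holder can read the second part (hence pre-authentication in practice)."""
        if parse_principal(client)[2] != self.realm:
            raise ValueError("wrong realm")
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "sk": sk, "expires": now + 8 * 3600})
        return tgt, seal(self.keys[client], {"sk": sk, "expires": now + 8 * 3600})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if t["expires"] < now:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("bad authenticator")
        svc_sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": svc_sk, "expires": now + 3600})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": svc_sk})


def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ as seen by the service: it needs only its own key, never the KDC."""
    t = unseal(service_key, ticket)
    if t["expires"] < now:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


def login_and_access(kdc, client, password, service, now):
    """Client side of Figure 8.3; returns the principal name the service accepted."""
    client_key = string_to_key(password, kdc.realm + client)
    tgt, enc = kdc.as_exchange(client, now)
    sk = bytes.fromhex(unseal(client_key, enc)["sk"])      # wrong password -> ValueError
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "time": now}), service, now)
    svc_sk = bytes.fromhex(unseal(sk, enc2)["sk"])
    # the service holds its own key (in a real deployment: its keytab)
    return service_accept(kdc.keys[service], ticket, seal(svc_sk, {"client": client, "time": now}), now)
```

Two properties worth noticing: the client's password-derived key is used exactly once, to open the AS-REP, and everything afterwards rides on short-lived session keys; and a ticket stolen from the wire is useless without the session key sealed inside it, which the thief cannot read.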

10
Q

SSO

A

Many web applications rely on single sign-on (SSO) systems to allow users to authenticate once and then to use multiple systems or services without having to use different usernames or passwords.

11
Q

Shared Authentication

A

Shared authentication schemes are somewhat similar to single sign-on and allow an identity to be reused on multiple sites while relying on authentication via a single identity provider. Shared authentication systems require users to enter credentials when authenticating to each site, unlike SSO systems.

12
Q

OpenID

A

An open standard for decentralized authentication. OpenID is broadly used by major websites like Google, Amazon, and Microsoft. Users create credentials with an identity provider like Google; sites that accept those credentials (relying parties) then use that identity.

13
Q

OAuth

A

An open authorization standard. OAuth is used by Google, Microsoft, Facebook, and other sites to allow users to share elements of their identity or account information while authenticating via the original identity provider. OAuth relies on access tokens, which are issued by an authorization server and then presented to resource servers like third-party web applications by clients.

14
Q

OpenID Connect

A

An authentication layer built on top of the OAuth 2.0 authorization protocol.

15
Q

Facebook Connect

A

Also known as Login with Facebook, is a shared authentication system that relies on Facebook credentials for authentication.

16
Q

Role-Based Access Control (RBAC)

A

Uses roles associated with job functions or other criteria. Roles are matched to permission sets appropriate to those roles, and then users or other objects like a system or software package are assigned roles. RBAC constraints are: role assignment, meaning a subject can use a permission only if it has selected or been assigned a role; role authorization, meaning the subject's active role must be one it is authorized to have; and permission authorization, meaning a subject can use a permission only if that permission is authorized for the subject's active role.
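Added example (not from the page): a minimal RBAC engine that enforces the three constraints above. Users, roles, and permissions are constructed. Note that a permission is usable only through a session whose active roles include the role that holds it, which is what lets an administrator work with only the "analyst" role active until a privileged task actually needs more.

```python
"""Core RBAC with the three constraints from the card: role assignment,
role authorization, and permission authorization.

Added example, not from the page: users, roles, and permissions are constructed.
"""
from collections import defaultdict


class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(operation, object)}
        self.user_roles = defaultdict(set)   # user -> roles assigned to that user
        self.sessions = {}                   # session id -> (user, active roles)

    def grant(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def open_session(self, sid, user, active_roles):
        """Role authorization: a session may activate only roles assigned to its user.
        Returns False (and opens nothing) if any requested role is not assigned."""
        active = set(active_roles)
        if not active or not active <= self.user_roles[user]:
            return False
        self.sessions[sid] = (user, active)
        return True

    def check(self, sid, operation, obj):
        """Permission authorization: the permission must belong to an *active* role.
        Role assignment: with no session there is no active role and so no access."""
        if sid not in self.sessions:
            return False
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms[r] for r in active)


def build_demo():
    """Constructed deployment: analysts read SIEM logs, admins can also rotate API keys."""
    rbac = RBAC()
    rbac.grant("analyst", "read", "siem-logs")
    rbac.grant("admin", "read", "siem-logs")
    rbac.grant("admin", "rotate", "api-keys")
    rbac.assign("alice", "analyst")
    rbac.assign("alice", "admin")
    rbac.assign("bob", "analyst")
    return rbac
```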

17
Q

Attribute-Based Access Control (ABAC)

A

Gives users rights based on policies. Policies use collections of attributes to determine which access rights to grant, thus building logic-based collections of rights. ABAC tends to be used when a flexible, context-sensitive access control model is required. Combining attributes that describe the subject (like their role, division, or other personal attributes), the action they are trying to perform, attributes of the object that they are attempting to access or use, and environmental attributes like time of day or location allows complex access control logic with fine-grained control.
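Added example (not from the page): an ABAC policy evaluator that combines subject, action, resource, and environment attributes, deny by default with an explicit deny overriding any permit. Attribute names, rules, and sample requests are constructed.

```python
"""Attribute-based access control: policy rules over subject, action, resource,
and environment attributes, deny-by-default with deny-overrides.

Added example, not from the page: attribute names, rules, and sample requests
are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    effect: str                                          # "permit" or "deny"
    matches: Callable[[dict, str, dict, dict], bool]     # (subject, action, resource, env)


def evaluate(rules, subject, action, resource, env):
    """Return ("permit" | "deny", [names of matching rules]).
    Any matching deny wins; otherwise a matching permit is required; otherwise deny."""
    hits = [r for r in rules if r.matches(subject, action, resource, env)]
    if any(r.effect == "deny" for r in hits):
        return "deny", [r.name for r in hits]
    if any(r.effect == "permit" for r in hits):
        return "permit", [r.name for r in hits]
    return "deny", []


# Constructed policy: the environment attributes (network, hour) are what make this
# context-sensitive in a way a static role grant cannot be.
POLICY = [
    Rule("analysts-read-cases-in-hours", "permit",
         lambda s, a, r, e: s["role"] == "analyst" and a == "read" and r["type"] == "case"
         and e["network"] == "corp" and 8 <= e["hour"] < 18),
    Rule("owner-edits-own-docs", "permit",
         lambda s, a, r, e: a in ("read", "edit") and r.get("owner") == s["id"]),
    Rule("restricted-needs-corp-network", "deny",
         lambda s, a, r, e: r["classification"] == "restricted" and e["network"] != "corp"),
]
```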

18
Q

Mandatory Access Control (MAC)

A

Systems rely on the operating system to control what subjects can access and what actions they can perform, based on labels or policies that users cannot override. Because of this design, MAC usually relies on a system administrator to implement access control policies. Since it is relatively rigid, MAC has typically been associated with military systems, although an increasing number of operating systems and security packages (SELinux is a common example) implement MAC capabilities.

19
Q

Rule-Based Access Control

A

Systems use a set of rules implemented by an administrator. Access control lists (ACLs) are typically associated with each object, and rules are checked against that ACL when access is requested.

20
Q

Discretionary Access Control (DAC)

A

Systems delegate control to the administrators or owners of protected resources like systems or data. This allows delegated control but requires trust in the choices that owners and administrators make, and it can also cause issues due to a lack of central access control.

21
Q

Manual Review

A

Processes to validate roles and rights, particularly when staff members change jobs or take on a new role. Staff charged with permissions management are wary of requests like "Just make my new employee's rights match the person currently in the role," because that person may hold rights that are not appropriate to the role.

22
Q

Personnel-based

A

Identity security, which includes training and awareness, as well as threats like insider attacks, phishing, and social engineering

23
Q

Endpoints

A

Their role in attacks on identity, including capturing credentials via local exploits; screen capture and keyboard capture applications; local administrative rights; and how password stores, tokens, and other credentials are stored on local systems and devices like phones and tablets

24
Q

Server-based

A

Exploits, which can target the systems that run identity services, or which can attack the servers that send identity and authentication data to AAA services

25
Q

Applications and services

A

That provide, consume, and interact with identity systems

26
Q

Roles

A

Rights, and permissions that are associated with users and groups

27
Q

Least Privilege

A

Which states that users should be provided only with the least set of privileges or permissions required to perform their job function.

28
Q

Privilege Creep

A

The steady accrual of additional rights over time as account owners change roles, positions, or responsibilities. Privilege creep directly conflicts with the concept of least privilege since accounts should not have rights that aren’t required for their current role

29
Q

Impersonation

A

Attacks occur when an attacker takes on the identity of a legitimate user. Security issues like OAuth open redirects discussed earlier in this chapter can allow impersonation to occur.

30
Q

MitM (Man-in-the-Middle)

A

Attacks rely on accessing information flow between systems or services. End-to-end encryption of sessions or network links can help reduce the chance of a successful MitM attack, unless attackers control endpoints or have the encryption keys.

31
Q

Session Hijacking

A

Focuses on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls, allowing them to participate in the session. Much like impersonation and MitM attacks, securing the data that an attacker needs to acquire to hijack the session, either via encrypting network sessions or links or on the local system, can help limit opportunities for session hijacking.

32
Q

Privilege Escalation

A

Attacks focus on exploiting flaws to gain elevated permissions or access. A successful privilege escalation attack can allow a normal or an untrusted user to use administrator or other privileged access. Privilege escalation frequently relies on software vulnerabilities, requiring administrators to ensure that local applications, services, and utilities are not vulnerable.

33
Q

Rootkits

A

Combine multiple malicious software tools to provide continued access to a computer while hiding their own existence. Fighting rootkits requires a full suite of system security practices, ranging from proper patching and layered security design to antimalware techniques like application allow-listing (whitelisting), heuristic detection, and malicious software detection tools.

34
Q

Context-Based Authentication

A

Allows authentication decisions to be made based on information about the user, the system the user is connecting from, or other information that is relevant to the system or organization performing the authentication.

35
Q

Identity as a Service (IDaaS)

A

Services that provide authentication, typically as a cloud-hosted service. IDaaS solutions typically provide the following features:
- Identity life cycle management: technologies and processes to create, provision, and manage identities for systems, services, and even other cloud services
- Directory services, using LDAP, Active Directory, or another directory technology
- Access management with both authentication and authorization capabilities

36
Q

Federated Identity

A

Process of linking an identity and its related attributes between multiple identity management systems.

37
Q

Identity Provider (IDP)

A

Members of a federation must provide identities, make assertions about those identities to relying parties, and release information to relying parties about identity holders. The identities and related data must be kept secure. Identities (and sometimes attributes) have to be validated to a level that fits the needs of the federation, and may have user-level controls applied to their release.

38
Q

Service Provider (SP)

A

Members of a federation must provide services to members of the federation, and should handle the data from both users and identity providers securely.

39
Q

SAML (Authorization, Authentication, Potential Security Risks, Common Uses)

A

Authorization: Yes
Authentication: Yes
Potential Risks: Message Confidentiality, Protocol usage and processing risks, Denial of Service
Common Uses: Enterprise Authentication and authorization, particularly in Linux-centric environments

40
Q

OpenID (Authorization, Authentication, Potential Security Risks, Common Uses)

A

Authorization: No
Authentication: Yes
Potential Risks: Redirect manipulation, Message confidentiality,Replay attacks, CSRF/XSS attacks, Phishing
Common Uses: Authentication

41
Q

OAuth2 (Authorization, Authentication, Potential Security Risks, Common Uses)

A

Authorization: Yes
Authentication: Partial
Potential Risks: Redirect manipulation, Message confidentiality, Authorization or resource server impersonation
Common Uses: API and service authorization

42
Q

ADFS (Authorization, Authentication, Potential Security Risks, Common Uses)

A

Authorization: Yes
Authentication: Yes
Potential Risks: Token Attacks (Replay, Capture)
Common Uses: Enterprise authentication and authorization, particularly in Windows-centric environments

43
Q

SAML

A

Is an XML-based language used to send authentication and authorization data between identity providers and service providers. It is frequently used to enable single sign-on for web applications and services because SAML allows identity providers to make assertions about principals to service providers so that they can make decisions about that user. SAML allows authentication, attribute, and authorization decision statements to be exchanged.

44
Q

ADFS

A

Active Directory Federation Services, the Microsoft answer to federation. ADFS provides authentication and identity information as claims to third-party partner sites. Partner sites then use trust policies to match those claims to the claims a service supports, and use them to make authorization decisions.

45
Q

OAuth

A

Protocol provides an authorization framework designed to allow third-party applications to access HTTP-based services. It was developed via the Internet Engineering Task Force (IETF) and supports web clients, desktops, mobile devices, and a broad range of other embedded and mobile technologies, as well as the service providers that they connect to. OAuth provides access delegation, allowing service providers to perform actions for you.

46
Q

OpenID Connect

A

Is often paired with OAuth to provide authentication. It allows the authorization server to issue an ID token in addition to the OAuth access token. This allows a service to know both that the action was authorized and that the user authenticated with the identity provider.
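Added example (not from the page or from any OIDC library), serving the OpenID Connect cards above: minting an ID token and validating it the way a relying party must, checking signature, issuer, audience, expiry, and nonce before trusting that the user authenticated for this client. It uses HS256 with the client secret (providers also sign with RS256 keys published at their JWKS endpoint); the issuer, client ID, nonce, and claims are constructed.

```python
"""OpenID Connect ID token: minting and validating the claims that tell a relying
party the user authenticated with this identity provider for *this* client.

Added example, not from the page or any OIDC library. It uses HS256 with a
client secret (OIDC also allows RS256 with provider keys) and constructed
issuer, client ID, nonce, and claims.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, client_secret: bytes) -> str:
    """What the authorization server returns next to the access token (HS256 JWT)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, client_secret: bytes, issuer: str, client_id: str,
                      nonce: str, now: int):
    """Return (claims, None) if the token is acceptable, else (None, reason).
    Order matters: pin the algorithm and verify the signature before reading claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_unb64url(parts[0]))
        claims = json.loads(_unb64url(parts[1]))
        sig = _unb64url(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    if header.get("alg") != "HS256":           # never honour alg=none or a switched alg
        return None, "unexpected alg"
    expected = hmac.new(client_secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued for this client"   # valid token, wrong relying party
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:
        return None, "nonce mismatch"          # binds the token to the login request (replay)
    return claims, None
```

The audience check is the one most often skipped: a genuine token signed by the right provider but issued to a different client must still be rejected, otherwise any application the user has logged into can impersonate them to yours.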